[21481] in bugtraq
New Cold Fusion vulnerability
daemon@ATHENA.MIT.EDU (Jean-Francois Prieur)
Thu Jul 12 15:36:56 2001
Message-ID: <20010712083952.7388.qmail@securityfocus.com>
Date: Thu, 12 Jul 2001 04:39:29 -0400
From: "Jean-Francois Prieur" <jfp51@ebeing.com>
To: bugtraq@securityfocus.com
X-MDaemon-Deliver-To: bugtraq@securityfocus.com
Hello,
Like others I have seen the security advisory concerning Cold Fusion
versions 2 to 4.5.1 SP2. What concerns me, and, evidently, others on
the cold fusion boards, is the lack of details about this vulnerability.
Usually, you would see a serious vulnerability like this being
discussed on some mailing lists a few hours before a bulletin being
issued, yet in this case, nothing.
Maybe we are just paranoid, but since Allaire/Macromedia just released
version 5 which is not vulnerable, is this just a ploy to get people to
upgrade? This and the fact that there is a 3-8% performance degradation
when you install the patch makes me want to know more about this. Also,
if you are using NT4 and IIS, the patch breaks your server if you don't
install MSVCRT 6.0 runtime files beforehand, so be careful.
Anyone have any further info?
Thanks,
JF Prieur